“In my view, there is only one thing that
could absolutely destroy a company overnight, and that is [a lack of]
cybersecurity,” said Fannie Mae Chief Information Security Officer Anthony
Johnson during a panel discussion at the Mortgage Bankers Association annual
conference in San Diego last week.

“If
[mortgage companies] don’t build the processes and don’t have fundamental
backups and prepare for it, then you are really at the mercy of a technical
group who wants to destroy your company, and they absolutely can.”

Roger
Cressey, an NBC counter-terrorism analyst and former presidential adviser, said
during a speech at the conference, “You can’t stay ahead of the threat, that is
lesson number one. You will be breached.”

Jeff Bernstein, managing director of T&M Protection
Resources headquartered in New York City, said statements that treat cybercrime as an "existential threat" to individual companies and the financial sector as a whole are not mere hyperbole
meant to stoke fear. Several mortgage companies have had loan files breached, he said, even
if nonbank mortgage companies haven’t to date been the preferred target of hackers.

In a 2013 case involving W.J Bradley Mortgage Capital, for
instance, several former loan officers shared customer information with another
company not affiliated with W.J. Bradley, the company reported. In 2012, DHI Mortgage notified customers that hackers
compromised the company’s loan-prequalification system and accessed files.

More recently, HSBC Finance notified New Hampshire's attorney
general in April that it had discovered it was inadvertently
publishing customers' personal information, including names and social security
numbers, online. The company didn’t reveal how the breach occurred, according to newspaper
reports.

A growing problem

Bernstein said despite these breaches, mortgage providers haven’t been targeted as much as the
large banks and other sectors.

“I think that is going to change,” Bernstein said. “Nobody
else collects that information, not to that extent. Arguably, the mortgage
bankers and the mortgage lenders are a more compelling target than any
other sector out there because of the private data.”

Matthew Merlone,
director of product and fraud strategy at Interthinx, recently told Scotsman Guide News that cybercriminals have more commonly worked scams around home-equity loans than first mortgages. Merlone said, however, he was concerned that more cases of data theft and fraud would originate in cyberspace.

“They are selling
that information on a third market, or a third-party market on what is called
the dark Web,” Merlone said. “We are
going to see more of these things. We are going to see account takeovers where
payments are misdirected for first mortgages. We are starting to see a little
bit of that now.”

Merlone also said the mortgage market generally should pay
more attention to the threat.

“That is one area that I would like to see a focus group
come together and try and tackle cyberfraud for first mortgages,” Merlone said. “Because of this focus on compliance, I think as an
industry we are kind of taking our eye off the ball for the fraud risks
that are out there.”